
'High-Risk Vulnerabilities' In Oracle File-Processing SDKs Affect Major Third-Party Products (csoonline.com)

itwbennett writes: "Seventeen high-risk vulnerabilities out of the 276 flaws fixed by Oracle Tuesday affect products from third-party software vendors," writes Lucian Constantin on CSOonline. The vulnerabilities, which were found by researchers from Cisco's Talos team, are in the Oracle Outside In Technology (OIT), a collection of SDKs that are used in third-party products, including Microsoft Exchange, Novell Groupwise, IBM WebSphere Portal, Google Search Appliance, Avira AntiVir for Exchange, Raytheon SureView, Guidance Encase and Veritas Enterprise Vault.

"It's not clear how many of those products are also affected by the newly patched seventeen flaws, because some of them might not use all of the vulnerable SDKs or might include other limiting factors," writes Constantin. But the Cisco researchers confirmed that Microsoft Exchange servers (version 2013 and earlier) are affected if they have WebReady Document Viewing enabled. In a blog post the researchers describe how an attacker could exploit these vulnerabilities.

TL;DR version: "Attackers can exploit the flaws to execute rogue code on systems by sending specifically crafted content to applications using the vulnerable OIT SDKs."
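A defender-side check for the Exchange condition in the summary above, as an added example that is not code from the article, Cisco Talos or Microsoft: it assumes an Exchange 2010/2013 Management Shell session and uses the Get-OwaVirtualDirectory / Set-OwaVirtualDirectory cmdlets with their WebReadyDocumentViewing* parameters to report, and optionally turn off, WebReady Document Viewing on each OWA virtual directory.

```powershell
# Added example (not from the article or Cisco Talos). Audits WebReady Document
# Viewing on every OWA virtual directory and, with -Disable, switches it off.
# Assumes an Exchange 2010/2013 Management Shell; these are the same two
# settings Microsoft's earlier Outside In workarounds for Exchange pointed at.
function Get-WebReadyExposure {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Disable   # remediate instead of only reporting
    )
    foreach ($vdir in Get-OwaVirtualDirectory) {
        $public  = [bool]$vdir.WebReadyDocumentViewingOnPublicComputersEnabled
        $private = [bool]$vdir.WebReadyDocumentViewingOnPrivateComputersEnabled
        $exposed = $public -or $private

        if ($exposed -and $Disable -and
            $PSCmdlet.ShouldProcess($vdir.Identity, 'Disable WebReady Document Viewing')) {
            Set-OwaVirtualDirectory -Identity $vdir.Identity `
                -WebReadyDocumentViewingOnPublicComputersEnabled  $false `
                -WebReadyDocumentViewingOnPrivateComputersEnabled $false
            $exposed = $false
        }

        # One row per virtual directory; Exposed = still hands attachments to OIT
        [pscustomobject]@{
            Server          = $vdir.Server
            Identity        = $vdir.Identity
            WebReadyPublic  = $public
            WebReadyPrivate = $private
            Exposed         = $exposed
        }
    }
}

# Report only:
Get-WebReadyExposure | Format-Table -AutoSize
# Dry run of the remediation, then the real thing:
# Get-WebReadyExposure -Disable -WhatIf
# Get-WebReadyExposure -Disable
```

Run the report before and after patching: servers that still show Exposed = True are the ones whose OWA path hands mail attachments to the Outside In converters.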
  • by WaffleMonster ( 969671 ) on Saturday July 23, 2016 @06:16PM (#52567877)

    The way Oracle sits on so many vulns for so long until aged to perfection is quite remarkable.

    Even more remarkable is the nature of the exploits themselves: "159 can be exploited remotely without authentication".

    I can only assume Oracle shops will install this latest batch of updates and get back to business as usual without batting an eye or even contemplating pushing back at all against this batshit insanity.

    • "I can only assume Oracle shops will install this latest batch of updates and get back to business as usual without batting an eye or even contemplating pushing back at all against this batshit insanity"

      What would you propose Oracle shops do instead? It's not like anyone, anywhere, has the slightest idea how to code defect free software or fix 70 million lines or so of existing defective code.

  • Less high-profile companies may have just as many bugs in their "golden master" code, but neither they nor "white-hat" outside groups are looking for them as hard as they would with a high-profile company.

    This means if I use a just-as-buggy product from a not-as-big company, the only people who may know about the bugs are the people spear-phishing me and governments (which may be one and the same).

  • I just downloaded one of Oracle's SDKs..
